4/21 UPDATE: A site exposing the leaked data has been made. Some people say, don’t share and shut the site down. I have no position.. damned if you do (people won’t know which info is floating around) and if you don’t (everyone else will know your data). With 55-70M records… you can pretty much assume some of your data is floating around on the web.
So COMELEC let 55-70M voters’ sensitive information slip through their fingers… COMELEC is saying it’s not a big deal… BUT IT IS A FUCKING BIG DEAL
“Regardless whether the hacking could affect the elections, there is still the issue of all voter information that was leaked,” according to Trend Micro.
3 Reasons Why This Should Be Bigger Deal than any of the presidentiables’ bullshit:
- The leaked info is specific. And freely available online for malicious people to use.
- Comelec tried to brush it off – said it wasn’t sensitive info. And that it hasn’t been verified. TrendMicro reported differently. SERIOUSLY!!!!! FUCK THEM!
- Troy Hunt (a respected cyber security expert) attempted to authenticate the data leak – and so far so bad. It looks like it’s legit.
I can just imagine future news reports with – “Nang dumating ako sa immigration, laking gulat ko na hindi ako pinalampas ng immigration officer….Wala akong kamuang-muang hinuli na ako ng pulis dahil wanted daw ako for drug trafficking.” – said the Filipino who’s identity was stolen in that 2016 data breach
And in more detail
1. The leaked info is specific. And freely available online for malicious people to use.
Your name, email address, physical address, birthdate, mother’s maiden name, fingerprints have been compromised. It’s been made freely available online for download through torrents available for malicious people to use in identity theft, for crimes, fraud. etc. Even if parts of the data is encrypted since it’s been made available its only a matter of time for them to decrypt the information.
“The data, which has been widely distributed on both the dark and clear web, comprises of 228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.” Other data contained within the breach, which security researchers believe to be authentic, includes physical address, place of birth, height, weight, gender, marital status and parents’ names. All of this information was unencrypted. Some data, such as first and last names and dates of birth, was encrypted. “Once you start combining these attributes, your ability to impersonate someone is greatly enhanced,” Hunt said.” – Wired.co.uk
“The Filipino breach has been very broadly distributed. Not only has it been readily available for download from multiple locations on the clear web, it’s been quite extensively torrented too. The genie is well and truly out of the bottle and it won’t be going back in. The data consists of 76GB worth of (usually) compressed files, most notably a MySQL backup that expands out to 338GB. There’s a raft of other .sql files in the breach as well ranging from a few KB up to hundreds of MB.”” – Troy Hunt
“Philippine factions of Anonymous and LulzSec are not selling the stolen data on the black market for financial gain, but have made it public to shame the various agencies which should be protecting that data into doing so,” he added. However, the breach also opens up the potential for other nefarious groups and criminal organizations to take advantage of the leaked data and use it against the individuals who have information in those databases. According to Wenzler, this is where the hacktivism effort becomes an issue. “While the Comelec absolutely has a responsibility to protect constituent data, and should be held accountable for this breach, the potential threat caused by the hacktivist groups in publishing this data publicly may cause even greater harm in the long run.” “The fallout from this breach will be years in the making, but hopefully all parties involved will be taking immediate steps to minimize the damage to the citizens affected by this loss,” Wenzler concluded.” – Security Week
“With those data out there, Oliveria said that the end users – or in this case, registered voters – “are at risk of the usual scams or identity theft. That may happen.” He added that while technical skills are needed to open the leaked files, “the fact remains that the data is already in public space.” “If somebody has the intent or drive to actually go through the data and sort through it, or sell it in underground markets, he or she could take advantage of that,” Oliveria noted.” – Rappler
What can be done with the data of 55M Filipinos:
Any ID can be made. Not fake IDs but REAL IDs… just with a different face – The Identity Thief’s face
- they could commit a crime and leave your “ID” behind to direct police to you
- The thief can open a bank account, get a loan, apply for a credit card, or just take the money you do have
- Access your personal accounts – the verification questions often ask for birthdate and mothers maiden name
- buy a house or car or some other big ticket item
Here’s just some top of head:
- digital dagdag-bawas in the upcoming elections
- the dead brought back to digital life to vote
- your good name is tarnished another “you” exists on social media and behaves badly
- you visa is denied because “you” have a suspicious history
- an overseas employer does a background check… and finds something horrific
- you can’t borrow money from formal institutions
- you can be liable for millions of dollars/pesos/etc. that “you” borrowed
- you could be put in jail for a crime “you” committed
- your email address could be used in oh so many ways… porn buying, spamming-scamming your friends
These data records are sold in the underground market for a lot of money to people with malicious intent. 55M people are more vulnerable to identity theft and fraud now thanks to this.
“Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion,” the firm explained. “In previous cases of data breaches, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails, blackmail, extortion, and much more. With 55 million registered voters in the Philippines, this leak may turn out as the biggest government-related data breach in history.” – Trend Micro
“Hunt contacted five people included in the breach to verify if the information leaked about them was accurate. All five replied to confirm that the information Hunt had found was true. “This thing is so freaking huge. This is very sensitive data,” Hunt said, referring specifically to unencrypted passport information of overseas Filipino voters. “With it being leaked, we might be looking at the revocation of these passports.” – Wired.co.uk
For more on what’s the worst that could happen to you? Read this→ https://www.privacyrights.org/ar/id_theft.htm
2. Comelec tried to brush it off – said it wasn’t sensitive info. And that it hasn’t been verified. TrendMicro reported differently. SERIOUSLY!!!!! FUCK THEM!
Stupid stuff they have said
““Worst case scenario is naka-kopya sila (they have copied it), but even then, there is no way for us to know if it is a faithful reproduction of what [the Comelec has],” – Rappler
““[They] have a list of names and addresses. That’s pretty much it. I think it’s going to be more complicated than that, when creating a bank account, for instance.” – Rappler
“Comelec Spokesman James Jimenez says no vital voter information such as fingerprints or photos were recovered by the hackers who struck at the end of March.” – Asia Times, thought the Trend Micro article says that there were a huge number of fingerprint files…
“Analysis of the data by computer security firm Trend Micro also found fields headed ‘VOTESOBTAINED’, which suggests the system may have been intended for counting votes for candidates. A vote to elect a new president and vice president will take place on May 9.” – Wired.co.uk
4. Troy Hunt (a respected cyber security expert) attempted to authenticate the data leak – and so far so bad. It looks like it’s legit.
“Amongst the huge volume of data is a total of 228,605 email addresses. This may sound like a small number out of the 55M records, but according to reports, a lot of the sensitive data such as passport numbers belongs to a “mere” 1.3M overseas voters. It’s entirely conceivable that records are not complete across all these individuals, but at least the email addresses gave me a verification avenue.”
“At the time of writing, I have 367k verified subscribers in Have I been pwned (HIBP)… Part of the reason why I particularly wanted to do that with this breach is because of this statement by COMELEC officials (emphasis mine): “Again, I want to emphasize that the database in our website is accessible to the public. There is no sensitive information there.””
“Yesterday I emailed a number of HIBP subscribers and got back some pretty quick responses with everyone willing to assist.”
“The 228,605 email addresses in the breach are now searchable in HIBP. I actually had to create five new data classes when loading this breach, that is I’d never seen this information in a breach before: Marital statuses, Biometric data, Physical attributes, Family members’ names”
Sigh… I’m not articulate enough to be able to do justice to why this is a SUPER BIG DEAL. Let’s just say there’s a new feather in our cap, one I’d rather people burn at the stake for.
“Philippines Election Commission Attack Might Be The Largest Data Breach Ever”
Check out these articles for more info: